TL;DR: AWS Object Lamba can authorize requests to S3. We can create an Object Lambda that calls Open Policy Agent (OPA) to get a policy decision. This delegation allows us to implement policies using Rego and manage them in Styra Declarative Authorization Service (DAS).

This year’s KubeCon + CloudNativeCon NA featured new and exciting updates from the open source community, and we also hosted our own event, Cloud Native Policy Day with OPA, hosted by Styra. At Cloud Native Policy Day, we were fortunate to host a full roster of Open Policy Agent (OPA) luminaries from leading companies to speak at our event, and we wanted to share some high-level takeaways from their talks– each of which showcased unique ways of using OPA.

With policy as code, policies can be managed and automated using code written in a high-level language. It is a programmatic method of uniformly defining and enforcing policies throughout cloud-native applications and their infrastructure.

As enterprises move their applications to the cloud, they’re adopting finer-grained authorization for their users in order to better secure architectures and applications. Today, many, if not most, organizations use a role-based access control (RBAC) model for secure access. But as the push for fine-grained control grows, many organizations are asking: should we transition to attribute-based access control (ABAC)?

Adopting a fine-grained policy-as-code authorization approach based on Open Policy Agent (OPA)– the leading open-source policy engine– is a huge step forward in building microservices applications that run reliably and securely.

As you probably know by now, PodSecurityPolicy has been deprecated from Kubernetes for over a year, since the release of Kubernetes 1.21. In short PSP was an admission controller that let cluster managers control security by managing pod-specific policy. Like most other admission controllers, PSP could specify requirements one must meet to enter a pod, and deny any requests which don’t meet that requirement. In rare cases, PSP could also modify pod fields, changing requirements for access.

Authentication and authorization are two complementary and critical parts of securing cloud-native applications and infrastructure. Yet, there can be some confusion between these terms. The importance of cybersecurity approaches, such as Zero Trust and the principle of least privilege, make it critical to understand and implement appropriate authorization and authentication processes across cloud-native development.

Access control is a key component of security programs, since it regulates who or what can access data and resources within an organization’s systems. Granting access only to authorized users prevents data breaches and malicious attacks and is a good way to practice the security principle of least privilege. This article focuses on RBAC, a type of access control, and its benefits and implementation.

With the power of modern cloud computing, enterprises are building and updating applications quicker than ever. Expanding your business through the cloud is a fast-paced endeavor, which can be daunting to IAM teams more familiar with on-premises setups. While running applications on self-hosted infrastructure is still a best practice in some cases, businesses are finding it easier than ever to find and pounce on opportunities for growth by shifting to the cloud.

For many OPA users, they find it best to learn by example. That’s why we’re introducing a new Styra Academy Course, “OPA by Example!” For users that want to deepen their policy and Rego knowledge or better operationalize Open Policy Agent (OPA), this free course provides real-world examples to help you on your way.